Can 192.1.1.0 be expanded from /24 to /23?

I am getting close to running out of IP addresses on my /24 network. I was thinking of extending 192.1.1.0 to a /23 subnet but I am trying to remember if this is a valid boundary? Would I get a weird condition where 192.1.1.255 and 192.1.2.0 are routable?

I think they set up 192.1.1.0 to avoid some Linksys home router issues, at least that was the line fed to me.

And no I do not work for L3. Doing an IP lookup it says BBN Communications owns it.

I was hoping to be able to expand and not have to reissue every IP address out there.

192.1.1.0 is a publicly routable network as you have discovered.

192.168.0.0/16 (aka 192.168.0.0-192.168.255.255) is set aside for private networks only.

Sounds like a re-IP address project is in the works for you....

TR

If he is using NAT (most likely case) then it's really only a problem if he needs to communicate with that actual netblock.

True Story: I once interviewed at a company that had set up its network using examples from a book written by someone at Boise State. They, literally, used Boise State's IP block for their own addressing. It only came to light when someone was trying to send an email to a friend at Boise State.


192.1.1.0 is a publicly routable network as you have discovered.

192.168.0.0/16 (aka 192.168.0.0-192.168.255.255) is set aside for private networks only.

Sounds like a re-IP address project is in the works for you....

TR

This. Overlapping public IP ranges you don't own may not be the end of the world, but you'll have a hell of a time figuring it out when it is a problem.

Yes, already starting to draw this out on paper. SMH. I know a couple things are going to break hard on this (there are a couple programs that for whatever reason hard-code IP addresses at the install).

Even worse, I don't have any Layer 2/3 switches and my router is a TZ 100, which I don't think can bridge two subnets so that I can have 192.1.1.0 exist with the new 192.168.0.0 subnet. I do have a pair of PowerConnect 6224's coming in but they won't be here for a while and I'd always rather have management living on the router, not the switch.

And no I do not work for L3. Doing an IP lookup it says BBN Communications owns it.

Wikipedia says BBN handed it off to Level3 in some buyout of Genuity or something. The ARIN registration is unchanged though.

Basically I would say you have 2 choices:

- Do the right thing and move them to 10.10.0.0/23 or something like that.

- Do the easy thing and just enlarge the subnet but you'll have to fiddle with a lot of stuff anyway.

Those things that have the IP hard coded in them should be cataloged and fixed ASAP. That is a pretty huge problem. Depending on how much of this network is DHCP and how much is static, you will spend a bunch of time fixing subnet mask settings anyway so you might as well just do the new IP block.

If you need to worry about downtime and can't take a Saturday to do it all or something, you might look at getting a second gateway device for either temp or permanent use for the new network. Something like a layer 3 switch inside the current gateway would let you do some wizardry to replace the current gateway and work things out with minimal downtime.

Well I am just weeks away from starting up our virtualization project which gives me some flexibility. Problem is, should I stand up new AD, DNS, and DHCP servers prior to migration, then set up new DHCP scopes? Would I need to set up new forward and reverse lookup zones?

The extra fun in all this, there is only 1 DNS server and AD server in service. Almost wonder if I should set up a new 2003 VM as my second AD/DNS pair so I have a replica first.

Ooh that is a good idea to set up pfSense. The traffic load would be pretty light so it should be able to handle it. A good option if I need a longer-than-a-weekend window. I am conversing with my vendors now to see how many have IP tie-ins. My big one I thought I would have a problem with has given me a script to change out IP for FQDN entries which will be a big help.

Not sure if I need a whole /8, I was thinking a /23 (10.10.0.0) but then again I certainly would never run out of IP space.

We use 10.1.0.0/16 for our HQ network. Effectively unlimited and lets you somewhat logically organize stuff (you have 10.1.(0-255).x) to work with.

If you actually had thousands of devices in one location you'd want them in their own broadcast domains, but for most places with only a few hundred tops, having one big layer 2 data network generally isn't an issue.

I have worked with very large organizations where we would deal with a /8 or /16. After some investigation late last night I discovered we had a number of stale DHCP leases that were taking up space so we are using about 60% total of a /24 network. Now we are growing, and I am about to split our 6 servers into ~35-40 servers, but it almost seems a bit overkill to create really anything but a /23 that would manage for at least a couple years.

Then again it's nice to know the head room is there if we explode in growth.

From the network perspective a /8 is no different than a /24. Since everything is going to be in the same broadcast domain anyway why limit yourself? Do you want to re-mask everything in a year when you want to move stuff around?

You can think of them logically as a bunch of /24's if you want, but really they are one big network. Unless you actually need to enforce ACLs between the subnets (most don't) or need to do some crazy routing, I don't see a reason to not keep them all in the same network.

From the network perspective a /8 is no different than a /24. Since everything is going to be in the same broadcast domain anyway why limit yourself? Do you want to re-mask everything in a year when you want to move stuff around?

I strongly disagree...if you've ever been through a company merger, or deployed partner/extranets, or had large amounts of work-from-homers, you'll want to maintain the smallest viable subnet to avoid overlap.

My experience agrees with keeping the network manageable in size. Sure it is nice not to have to worry about address exhaustion but it is relatively easy to expand a subnet if you have good control over your network using DHCP and have good info on your statically configured stuff. Picking a good network address to start with is important, and planning for expansion is important. Don't set your office network with 10.0.0.0/24 and your DMZ for web servers with 10.0.1.0/24 since you might need to expand 10.0.0.0 to /23 some day.

In my experience networks tend to grow in complexity and purpose more than in size. We add more 'stuff' that does different things than we add people so we tend to need more diverse network segments than large blocks of IPs for single layer 2 segments.
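An added example (not from the thread) that checks both the OP's question (can 192.1.1.0/24 simply become a /23?) and the planning caveat above (expanding 10.0.0.0/24 to /23 swallows a DMZ on 10.0.1.0/24). It reports the aligned supernet the widened block actually lands in, whether the original network address survives, whether the block is RFC 1918 space, and which existing subnets it would collide with; the sample subnets are constructed for illustration.

```python
# Added example: what widening a prefix in place really does.
from ipaddress import IPv4Network, ip_network

# RFC 1918 private ranges, for the "is this block even ours to use?" check
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

def is_private(net: IPv4Network) -> bool:
    """True if the whole block sits inside RFC 1918 space."""
    return any(net.subnet_of(p) for p in RFC1918)

def widen(net: str, new_prefix: int, neighbours=()) -> dict:
    """Widen `net` to `new_prefix` and report what that really means.

    `neighbours` are other subnets already in use (e.g. a DMZ). Returns the
    aligned supernet, whether the original network address survives, the
    broadcast address, and any neighbours the wider block would swallow.
    """
    current = ip_network(net)
    # strict=False rounds down to the aligned block; strict=True would raise
    # ValueError for something like 192.1.1.0/23, which has host bits set.
    wider = ip_network(f"{current.network_address}/{new_prefix}", strict=False)
    return {
        "supernet": str(wider),
        "aligned": wider.network_address == current.network_address,
        "broadcast": str(wider.broadcast_address),
        "private": is_private(wider),
        "overlaps": [str(n) for n in map(ip_network, neighbours)
                     if wider.overlaps(n) and not n.subnet_of(current)],
    }

if __name__ == "__main__":
    # The OP's case: the /23 containing 192.1.1.0 is 192.1.0.0/23, so
    # 192.1.1.0 stops being a network address, 192.1.1.255 stays the
    # broadcast, 192.1.2.0 is not part of it at all, and it is public space.
    print(widen("192.1.1.0/24", 23))
    # The planning caveat: an office on 10.0.0.0/24 with a DMZ on 10.0.1.0/24
    # cannot grow to /23 without eating the DMZ (constructed sample subnets).
    print(widen("10.0.0.0/24", 23, ["10.0.1.0/24", "10.0.8.0/24"]))
    # Leaving a gap (DMZ at 10.0.8.0/24) lets the office grow to /21 cleanly.
    print(widen("10.0.0.0/24", 21, ["10.0.8.0/24"]))
```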

I am really leaning towards carving up some /24's from a larger /16 pool. The question becomes whether it is acceptable to allow my two new core switches (Dell PowerConnect 6224s) to manage the VLANs and routing or should I invest in a "more proper" router or firewall to handle it.

It really depends on your design. If your reason for segmenting the networks is simply management of purpose defined network segments, then using a layer 3 switch is great for that. If you need security and access controls for the different network segments, you need a firewall or similar device to do that.

I think they set up 192.1.1.0 to avoid some Linksys home router issues, at least that was the line fed to me.

I've seen this before, and it's always because someone didn't know how to properly set the VPN up. There are ways to mitigate overlapping VPN and home IP spaces (no split tunneling mostly).

A fair amount of those low end VPN endpoints don't do any NAT for tunnels. I know Linksyses had the problem as well as 1 or 2 other brands. Also something that wasn't a best buy special (something Dell sold that somebody else made; I think the hardware was red? Memory is fuzzy) had the same issue.

Having done hundreds of VPN tunnels to healthcare vendors, partners, billers, etc, some of the shit hardware people try to use makes you shake your head.


True Story: I once interviewed at a company that had set up its network using examples from a book written by someone at Boise State. They, literally, used Boise State's IP block for their own addressing. It only came to light when someone was trying to send an email to a friend at Boise State.

At my last job, we worked with a school district that used public IP space registered to S. Korea for all of their internal networks. When I pointed this out to them, their answer was, "Well, it's not like we're ever going to need to contact those addresses in the outside world."

I just shook my head and finished the work I was doing. It's not like there's a dearth of private IP space. Plus, some of it's damn simple to set up and use e.g. 10.x space.

Anecdote: we had a sales rep in... Guatemala I think. He was not able to VPN into our network. I had him run ipconfig and turned out the ISP he was using had squatted on a reserved (unused) IP range. Yeah his public IP was squatted. Funniest damn thing ever. I guess this ISP was shady (in Central America? Nooooo????!). Their "customers" were probably fine as long as they sent e-mail and browsed the web. The ISP probably routed the traffic through proxies. But try something like VPN and yeah it don't work, son.

Some more war stories. On one of the first days of my job as a federal contractor, I noticed that they were using public addresses for their entire private network, deliberately. 66.100.201.x, 66.100.205.x, and 151.200.205.x were the addresses (man why do I still remember that), three full /24's for each site. I was dumbfounded that they were not using internal addresses and lobbied the network "designer" to make changes. The reality was we needed maybe 4-6 external addresses at best. My lobbying proved fruitless.

Well fast forward a few years and thanks to the TIC (Trusted Internet Connection) we were about to lose those addresses from those carriers (Savvis, L3, and VZ). So this was the perfect time to readdress everything. We were moving a site, we needed far more address space thanks to VoIP, increased users, etc. Well once again I lobbied to get our scheme changed and I was told:

a) we would continue to use these 3 class C's after they are no longer ours and b) petition ARIN for at least 16 more class C's

Needless to say ARIN laughed at us and denied us the request, and a couple months in one of the class C's was being used by an outsourced firm and could not connect to us. Hilarity ensued. I had left a little bit before that episode but I just could not fathom why they demanded using external addresses for every object on the network.

Well on the topic at hand I think I am going to go with a single /16 broadcast domain -or- carve up that same /16 into some /24 and /23 segments. I am leaning to the single broadcast just for simplicity and then if I need more complexity I will change the subnet masks on said devices.